2005-12-01 Love Hörnquist Åstrand <lha@it.su.se> * acquire_cred.c: 1.27: (acquire_acceptor_cred): only check if principal exists if we got called with principal as an argument. 1.26: (acquire_acceptor_cred): check that the acceptor exists in the keytab before returning ok. 2005-05-30 Love Hörnquist Åstrand <lha@it.su.se> * init_sec_context.c (init_auth): honor ok-as-delegate if local configuration approves * gssapi_locl.h: prototype for _gss_check_compat * compat.c: export check_compat as _gss_check_compat 2005-05-29 Love Hörnquist Åstrand <lha@it.su.se> * init_sec_context.c: Prefix Der_class with ASN1_C_ to avoid problems with system headerfiles that pollute the name space. * accept_sec_context.c: Prefix Der_class with ASN1_C_ to avoid problems with system headerfiles that pollute the name space. 2005-05-17 Love Hörnquist Åstrand <lha@it.su.se> * init_sec_context.c (init_auth): set KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED (for java compatibility), also while here, use krb5_auth_con_addflags 2005-05-06 Love Hörnquist Åstrand <lha@it.su.se> * arcfour.c (_gssapi_wrap_arcfour): fix calculating the encap length. From: Tom Maher <tmaher@eecs.berkeley.edu> 2005-05-02 Dave Love <fx@gnu.org> * test_cred.c (main): Call setprogname. 2005-04-27 Love Hörnquist Åstrand <lha@it.su.se> * prefix all sequence symbols with _, they are not part of the GSS-API api. 
By comment from Wynn Wilkes <wynnw@vintela.com> 2005-04-10 Love Hörnquist Åstrand <lha@it.su.se> * accept_sec_context.c: break out the processing of the delegated credential to a separate function to make error handling easier, move the credential handling to after other setup is done * test_sequence.c: make less verbose in case of success * Makefile.am: add test_sequence to TESTS 2005-04-01 Love Hörnquist Åstrand <lha@it.su.se> * 8003.c (gssapi_krb5_verify_8003_checksum): check that cksum isn't NULL From: Nicolas Pouvesle <npouvesle@tenablesecurity.com> 2005-03-21 Love Hörnquist Åstrand <lha@it.su.se> * Makefile.am: use $(LIB_roken) 2005-03-16 Love Hörnquist Åstrand <lha@it.su.se> * display_status.c (gssapi_krb5_set_error_string): pass in the krb5_context to krb5_free_error_string 2005-03-15 Love Hörnquist Åstrand <lha@it.su.se> * display_status.c (gssapi_krb5_set_error_string): don't misuse the krb5_get_error_string api 2005-03-01 Love Hörnquist Åstrand <lha@it.su.se> * compat.c (_gss_DES3_get_mic_compat): don't unlock mutex here. 
Bug reported by Stefan Metzmacher <metze@samba.org> 2005-02-21 Luke Howard <lukeh@padl.com> * init_sec_context.c: don't call krb5_get_credentials() with KRB5_TC_MATCH_KEYTYPE, it can lead to the credentials cache growing indefinitely as no key is found with KEYTYPE_NULL * compat.c: remove GSS_C_EXPECTING_MECH_LIST_MIC_FLAG, it is no longer used (however the mechListMIC behaviour is broken, rfc2478bis support requires the code in the mechglue branch) * init_sec_context.c: remove GSS_C_EXPECTING_MECH_LIST_MIC_FLAG * gssapi.h: remove GSS_C_EXPECTING_MECH_LIST_MIC_FLAG 2005-01-05 Luke Howard <lukeh@padl.com> * 8003.c: use symbolic name for checksum type * accept_sec_context.c: allow client to indicate that subkey should be used * acquire_cred.c: plug leak * get_mic.c: use gss_krb5_get_subkey() instead of gss_krb5_get_{local,remote}key(), support KEYTYPE_ARCFOUR_56 * gssapi_local.c: use gss_krb5_get_subkey(), support KEYTYPE_ARCFOUR_56 * import_sec_context.c: plug leak * unwrap.c: use gss_krb5_get_subkey(), support KEYTYPE_ARCFOUR_56 * verify_mic.c: use gss_krb5_get_subkey(), support KEYTYPE_ARCFOUR_56 * wrap.c: use gss_krb5_get_subkey(), support KEYTYPE_ARCFOUR_56 2004-11-30 Love Hörnquist Åstrand <lha@it.su.se> * inquire_cred.c: Reverse order of HEIMDAL_MUTEX_unlock and gss_release_cred to avoid deadlock, from Luke Howard <lukeh@padl.com>. 
2004-09-06 Love Hörnquist Åstrand <lha@it.su.se> * gss_acquire_cred.3: gss_krb5_extract_authz_data_from_sec_context was renamed to gsskrb5_extract_authz_data_from_sec_context 2004-08-07 Love Hörnquist Åstrand <lha@it.su.se> * unwrap.c: mutex buglet, From: Luke Howard <lukeh@PADL.COM> * arcfour.c: mutex buglet, From: Luke Howard <lukeh@PADL.COM> 2004-05-06 Love Hörnquist Åstrand <lha@it.su.se> * gssapi.3: spelling from Josef El-Rayes <josef@FreeBSD.org> while here, write some text about the SPNEGO situation 2004-04-08 Love Hörnquist Åstrand <lha@it.su.se> * cfx.c: s/CTXAcceptorSubkey/CFXAcceptorSubkey/ 2004-04-07 Love Hörnquist Åstrand <lha@it.su.se> * gssapi.h: add GSS_C_EXPECTING_MECH_LIST_MIC_FLAG From: Luke Howard <lukeh@padl.com> * init_sec_context.c (spnego_reply): use _gss_spnego_require_mechlist_mic to figure out if we need to check MechListMIC; From: Luke Howard <lukeh@padl.com> * accept_sec_context.c (send_accept): use _gss_spnego_require_mechlist_mic to figure out if we need to send MechListMIC; From: Luke Howard <lukeh@padl.com> * gssapi_locl.h: add _gss_spnego_require_mechlist_mic From: Luke Howard <lukeh@padl.com> * compat.c: add _gss_spnego_require_mechlist_mic for compatibility with MS SPNEGO, From: Luke Howard <lukeh@padl.com> 2004-04-05 Love Hörnquist Åstrand <lha@it.su.se> * accept_sec_context.c (gsskrb5_is_cfx): krb5_keyblock->keytype is an enctype, not keytype * accept_sec_context.c: use ASN1_MALLOC_ENCODE * init_sec_context.c: avoid the malloc loop and just allocate the propper amount of data * init_sec_context.c (spnego_initial): handle mech_token better 2004-03-19 Love Hörnquist Åstrand <lha@it.su.se> * gssapi.h: add gss_krb5_get_tkt_flags * Makefile.am: add ticket_flags.c * ticket_flags.c: Get ticket-flags from acceptor ticket From: Luke Howard <lukeh@PADL.COM> * gss_acquire_cred.3: document gss_krb5_get_tkt_flags 2004-03-14 Love Hörnquist Åstrand <lha@it.su.se> * acquire_cred.c (gss_acquire_cred): check usage before even bothering to 
process it, add both keytab and initial tgt if requested * wrap.c: support cfx, try to handle acceptor asserted subkey * unwrap.c: support cfx, try to handle acceptor asserted subkey * verify_mic.c: support cfx * get_mic.c: support cfx * test_sequence.c: handle changed signature of gssapi_msg_order_create * import_sec_context.c: handle acceptor asserted subkey * init_sec_context.c: handle acceptor asserted subkey * accept_sec_context.c: handle acceptor asserted subkey * sequence.c: add dummy use_64 argument to gssapi_msg_order_create * gssapi_locl.h: add partial support for CFX * Makefile.am (noinst_PROGRAMS) += test_cred * test_cred.c: gssapi credential testing * test_acquire_cred.c: fix comment 2004-03-07 Love Hörnquist Åstrand <lha@it.su.se> * arcfour.h: drop structures for message formats, no longer used * arcfour.c: comment describing message formats * accept_sec_context.c (spnego_accept_sec_context): make sure the length of the choice element doesn't overrun us * init_sec_context.c (spnego_reply): make sure the length of the choice element doesn't overrun us * spnego.asn1: move NegotiationToken to avoid warning * spnego.asn1: uncomment NegotiationToken * Makefile.am: spnego_files += asn1_NegotiationToken.x 2004-01-25 Love Hörnquist Åstrand <lha@it.su.se> * gssapi.h: add gss_krb5_ccache_name * Makefile.am (libgssapi_la_SOURCES): += ccache_name.c * ccache_name.c (gss_krb5_ccache_name): help function enable to set krb5 name, using out_name argument makes function no longer thread-safe * gssapi.3: add missing gss_krb5_ references * gss_acquire_cred.3: document gss_krb5_ccache_name 2003-12-12 Love Hörnquist Åstrand <lha@it.su.se> * cfx.c: make rrc a modulus operation if its longer then the length of the message, noticed by Sam Hartman 2003-12-07 Love Hörnquist Åstrand <lha@it.su.se> * accept_sec_context.c: use krb5_auth_con_addflags 2003-12-05 Love Hörnquist Åstrand <lha@it.su.se> * cfx.c: Wrap token id was in wrong order, found by Sam Hartman 2003-12-04 Love 
Hörnquist Åstrand <lha@it.su.se> * cfx.c: add AcceptorSubkey (but no code understand it yet) ignore unknown token flags 2003-11-22 Love Hörnquist Åstrand <lha@it.su.se> * accept_sec_context.c: Don't require timestamp to be set on delegated token, its already protected by the outer token (and windows doesn't alway send it) Pointed out by Zi-Bin Yang <zbyang@decru.com> on heimdal-discuss 2003-11-14 Love Hörnquist Åstrand <lha@it.su.se> * cfx.c: fix {} error, pointed out by Liqiang Zhu 2003-11-10 Love Hörnquist Åstrand <lha@it.su.se> * cfx.c: Sequence number should be stored in bigendian order From: Luke Howard <lukeh@padl.com> 2003-11-09 Love Hörnquist Åstrand <lha@it.su.se> * delete_sec_context.c (gss_delete_sec_context): don't free ticket, krb5_free_ticket does that now 2003-11-06 Love Hörnquist Åstrand <lha@it.su.se> * cfx.c: checksum the header last in MIC token, update to -03 From: Luke Howard <lukeh@padl.com> 2003-10-07 Love Hörnquist Åstrand <lha@it.su.se> * add_cred.c: If its a MEMORY cc, make a copy. We need to do this since now gss_release_cred will destroy the cred. This should be really be solved a better way. * acquire_cred.c (gss_release_cred): if its a mcc, destroy it rather the just release it Found by: "Zi-Bin Yang" <zbyang@decru.com> * acquire_cred.c (acquire_initiator_cred): use kret instead of ret where appropriate 2003-09-30 Love Hörnquist Åstrand <lha@it.su.se> * gss_acquire_cred.3: spelling From: jmc <jmc@prioris.mini.pw.edu.pl> 2003-09-23 Love Hörnquist Åstrand <lha@it.su.se> * cfx.c: - EC and RRC are big-endian, not little-endian - The default is now to rotate regardless of GSS_C_DCE_STYLE. There are no longer any references to GSS_C_DCE_STYLE. - rrc_rotate() avoids allocating memory on the heap if rrc <= 256 From: Luke Howard <lukeh@padl.com> 2003-09-22 Love Hörnquist Åstrand <lha@it.su.se> * cfx.[ch]: rrc_rotate() was untested and broken, fix it. Set and verify wrap Token->Filler. 
Correct token ID for wrap tokens, were accidentally swapped with delete tokens. From: Luke Howard <lukeh@PADL.COM> 2003-09-21 Love Hörnquist Åstrand <lha@it.su.se> * cfx.[ch]: no ASN.1-ish header on per-message tokens From: Luke Howard <lukeh@PADL.COM> 2003-09-19 Love Hörnquist Åstrand <lha@it.su.se> * arcfour.h: remove depenency on gss_arcfour_mic_token and gss_arcfour_warp_token * arcfour.c: remove depenency on gss_arcfour_mic_token and gss_arcfour_warp_token 2003-09-18 Love Hörnquist Åstrand <lha@it.su.se> * 8003.c: remove #if 0'ed code 2003-09-17 Love Hörnquist Åstrand <lha@it.su.se> * accept_sec_context.c (gsskrb5_accept_sec_context): set sequence number when not requesting mutual auth From: Luke Howard <lukeh@PADL.COM> * init_sec_context.c (init_auth): set sequence number when not requesting mutual auth From: Luke Howard <lukeh@PADL.COM> 2003-09-16 Love Hörnquist Åstrand <lha@it.su.se> * arcfour.c (*): set minor_status (gss_wrap): set conf_state to conf_req_flags on success From: Luke Howard <lukeh@PADL.COM> * wrap.c (gss_wrap_size_limit): use existing function From: Luke Howard <lukeh@PADL.COM> 2003-09-12 Love Hörnquist Åstrand <lha@it.su.se> * indicate_mechs.c (gss_indicate_mechs): in case of error, free mech_set * indicate_mechs.c (gss_indicate_mechs): add SPNEGO 2003-09-10 Love Hörnquist Åstrand <lha@it.su.se> * init_sec_context.c (spnego_initial): catch errors and return them * init_sec_context.c (spnego_initial): add #if 0 out version of the CHOICE branch encoding, also where here, free no longer used memory 2003-09-09 Love Hörnquist Åstrand <lha@it.su.se> * gss_acquire_cred.3: support GSS_SPNEGO_MECHANISM * accept_sec_context.c: SPNEGO doesn't include gss wrapping on SubsequentContextToken like the Kerberos 5 mech does. * init_sec_context.c (spnego_reply): SPNEGO doesn't include gss wrapping on SubsequentContextToken like the Kerberos 5 mech does. Lets check for it anyway. * accept_sec_context.c: Add support for SPNEGO on the initator side. 
Implementation initially from Assar Westerlund, passes though quite a lot of hands before I commited it. * init_sec_context.c: Add support for SPNEGO on the initator side. Tested with ldap server on a Windows 2000 DC. Implementation initially from Assar Westerlund, passes though quite a lot of hands before I commited it. * gssapi.h: export GSS_SPNEGO_MECHANISM * gssapi_locl.h: include spnego_as.h add prototype for gssapi_krb5_get_mech * decapsulate.c (gssapi_krb5_get_mech): make non static * Makefile.am: build SPNEGO file 2003-09-08 Love Hörnquist Åstrand <lha@it.su.se> * external.c: SPENGO and IAKERB oids * spnego.asn1: SPENGO ASN1 2003-09-05 Love Hörnquist Åstrand <lha@it.su.se> * cfx.c: RRC also need to be zero before wraping them From: Luke Howard <lukeh@PADL.COM> 2003-09-04 Love Hörnquist Åstrand <lha@it.su.se> * encapsulate.c (gssapi_krb5_encap_length): don't return void 2003-09-03 Love Hörnquist Åstrand <lha@it.su.se> * verify_mic.c: switch from the des_ to the DES_ api * get_mic.c: switch from the des_ to the DES_ api * unwrap.c: switch from the des_ to the DES_ api * wrap.c: switch from the des_ to the DES_ api * cfx.c: EC is not included in the checksum since the length might change depending on the data. 
From: Luke Howard <lukeh@PADL.COM> * acquire_cred.c: use krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free 2003-09-01 Love Hörnquist Åstrand <lha@it.su.se> * copy_ccache.c: rename gss_krb5_extract_authz_data_from_sec_context to gsskrb5_extract_authz_data_from_sec_context * gssapi.h: rename gss_krb5_extract_authz_data_from_sec_context to gsskrb5_extract_authz_data_from_sec_context 2003-08-31 Love Hörnquist Åstrand <lha@it.su.se> * copy_ccache.c (gss_krb5_extract_authz_data_from_sec_context): check that we have a ticket before we start to use it * gss_acquire_cred.3: document gss_krb5_extract_authz_data_from_sec_context * gssapi.h (gss_krb5_extract_authz_data_from_sec_context): return the kerberos authorizationdata, from idea of Luke Howard * copy_ccache.c (gss_krb5_extract_authz_data_from_sec_context): return the kerberos authorizationdata, from idea of Luke Howard * verify_mic.c (gss_verify_mic_internal): switch type and key argument 2003-08-30 Love Hörnquist Åstrand <lha@it.su.se> * cfx.[ch]: draft-ietf-krb-wg-gssapi-cfx-01.txt implemetation From: Luke Howard <lukeh@PADL.COM> 2003-08-28 Love Hörnquist Åstrand <lha@it.su.se> * arcfour.c (arcfour_mic_cksum): use free_Checksum to free the checksum * arcfour.h: swap two last arguments to verify_mic for consistency with des3 * wrap.c,unwrap.c,get_mic.c,verify_mic.c,cfx.c,cfx.h: prefix cfx symbols with _gssapi_ * arcfour.c: release the right buffer * arcfour.c: rename token structure in consistency with rest of GSS-API From: Luke Howard <lukeh@PADL.COM> * unwrap.c (unwrap_des3): use _gssapi_verify_pad (unwrap_des): use _gssapi_verify_pad * arcfour.c (_gssapi_wrap_arcfour): set the correct padding (_gssapi_unwrap_arcfour): verify and strip padding * gssapi_locl.h: added _gssapi_verify_pad * decapsulate.c (_gssapi_verify_pad): verify padding of a gss wrapped message and return its length * arcfour.c: support KEYTYPE_ARCFOUR_56 keys, from Luke Howard <lukeh@PADL.COM> * arcfour.c: use right seal alg, inherit 
keytype from parent key * arcfour.c: include the confounder in the checksum use the right key usage number for warped/unwraped tokens * gssapi.h: add gss_krb5_nt_general_name as an mit compat glue (same as GSS_KRB5_NT_PRINCIPAL_NAME) * unwrap.c: hook in arcfour unwrap * wrap.c: hook in arcfour wrap * verify_mic.c: hook in arcfour verify_mic * get_mic.c: hook in arcfour get_mic * arcfour.c: implement wrap/unwarp * gssapi_locl.h: add gssapi_{en,de}code_be_om_uint32 * 8003.c: add gssapi_{en,de}code_be_om_uint32 2003-08-27 Love Hörnquist Åstrand <lha@it.su.se> * arcfour.c (_gssapi_verify_mic_arcfour): Do the checksum on right area. Swap filler check, it was reversed. * Makefile.am (libgssapi_la_SOURCES): += arcfour.c * gssapi_locl.h: include "arcfour.h" * arcfour.c: arcfour gss-api mech, get_mic/verify_mic working * arcfour.h: arcfour gss-api mech, get_mic/verify_mic working 2003-08-26 Love Hörnquist Åstrand <lha@it.su.se> * gssapi_locl.h: always include cfx.h add prototype for _gssapi_decapsulate * cfx.[ch]: Implementation of draft-ietf-krb-wg-gssapi-cfx-00.txt from Luke Howard <lukeh@PADL.COM> * decapsulate.c: add _gssapi_decapsulate, from Luke Howard <lukeh@PADL.COM> 2003-08-25 Love Hörnquist Åstrand <lha@it.su.se> * unwrap.c: encap/decap now takes a oid if the enctype/keytype is arcfour, return error add hook for cfx * verify_mic.c: encap/decap now takes a oid if the enctype/keytype is arcfour, return error add hook for cfx * get_mic.c: encap/decap now takes a oid if the enctype/keytype is arcfour, return error add hook for cfx * accept_sec_context.c: encap/decap now takes a oid * init_sec_context.c: encap/decap now takes a oid * gssapi_locl.h: include cfx.h if we need it lifetime is a OM_uint32, depend on gssapi interface add all new encap/decap functions * decapsulate.c: add decap functions that doesn't take the token type also make all decap function take the oid mech that they should use * encapsulate.c: add encap functions that doesn't take the token type also 
make all encap function take the oid mech that they should use * sequence.c (elem_insert): fix a off by one index counter * inquire_cred.c (gss_inquire_cred): handle cred_handle beeing GSS_C_NO_CREDENTIAL and use the default cred then. 2003-08-19 Love Hörnquist Åstrand <lha@it.su.se> * gss_acquire_cred.3: break out extensions and document gsskrb5_register_acceptor_identity 2003-08-18 Love Hörnquist Åstrand <lha@it.su.se> * test_acquire_cred.c (print_time): time is returned in seconds from now, not unix time 2003-08-17 Love Hörnquist Åstrand <lha@it.su.se> * compat.c (check_compat): avoid leaking principal when finding a match * address_to_krb5addr.c: sa_size argument to krb5_addr2sockaddr is a krb5_socklen_t * acquire_cred.c (gss_acquire_cred): 4th argument to gss_test_oid_set_member is a int 2003-07-22 Love Hörnquist Åstrand <lha@it.su.se> * init_sec_context.c (repl_mutual): don't set kerberos error where there was no kerberos error * gssapi_locl.h: Add destruction/creation prototypes and structure for the thread specific storage. * display_status.c: use thread specific storage to set/get the kerberos error message * init.c: Provide locking around the creation of the global krb5_context. Add destruction/creation functions for the thread specific storage that the error string handling is using. 
2003-07-20 Love Hörnquist Åstrand <lha@it.su.se> * gss_acquire_cred.3: add missing prototype and missing .Ft arguments 2003-06-17 Love Hörnquist Åstrand <lha@it.su.se> * verify_mic.c: reorder code so sequence numbers can can be used * unwrap.c: reorder code so sequence numbers can can be used * sequence.c: remove unused function, indent, add gssapi_msg_order_f that filter gss flags to gss_msg_order flags * gssapi_locl.h: prototypes for gssapi_{encode_om_uint32,decode_om_uint32} add sequence number verifier prototypes * delete_sec_context.c: destroy sequence number verifier * init_sec_context.c: remember to free data use sequence number verifier * accept_sec_context.c: don't clear output_token twice remember to free data use sequence number verifier * 8003.c: export and rename encode_om_uint32/decode_om_uint32 and start to use them 2003-06-09 Johan Danielsson <joda@pdc.kth.se> * Makefile.am: can't have sequence.c in two different places 2003-06-06 Love Hörnquist Åstrand <lha@it.su.se> * test_sequence.c: check rollover, print summery * wrap.c (sub_wrap_size): gss_wrap_size_limit() has req_output_size and max_input_size around the wrong way -- it returns the output token size for a given input size, rather than the maximum input size for a given output token size. 
From: Luke Howard <lukeh@PADL.COM> 2003-06-05 Love Hörnquist Åstrand <lha@it.su.se> * gssapi_locl.h: add prototypes for sequence.c * Makefile.am (libgssapi_la_SOURCES): add sequence.c (test_sequence): build * sequence.c: sequence number checks, order and replay * test_sequence.c: sequence number checks, order and replay 2003-06-03 Love Hörnquist Åstrand <lha@it.su.se> * accept_sec_context.c (gss_accept_sec_context): make sure time is returned in seconds from now, not in kerberos time * acquire_cred.c (gss_aquire_cred): make sure time is returned in seconds from now, not in kerberos time * init_sec_context.c (init_auth): if the cred is expired before we tries to create a token, fail so the peer doesn't need reject us (*): make sure time is returned in seconds from now, not in kerberos time (repl_mutual): remember to unlock the context mutex * context_time.c (gss_context_time): remove unused variable * verify_mic.c: make sure minor_status is always set, pointed out by Luke Howard <lukeh@PADL.COM> 2003-05-21 Love Hörnquist Åstrand <lha@it.su.se> * *.[ch]: do some basic locking (no reference counting so contexts can be removed while still used) - don't export gss_ctx_id_t_desc_struct and gss_cred_id_t_desc_struct - make sure all lifetime are returned in seconds left until expired, not in unix epoch * gss_acquire_cred.3: document argument lifetime_rec to function gss_inquire_context 2003-05-17 Love Hörnquist Åstrand <lha@it.su.se> * test_acquire_cred.c: test gss_add_cred more then once 2003-05-06 Love Hörnquist Åstrand <lha@it.su.se> * gssapi.h: if __cplusplus, wrap the extern variable (just to be safe) and functions in extern "C" { } 2003-04-30 Love Hörnquist Åstrand <lha@it.su.se> * gssapi.3: more about the des3 mic mess * verify_mic.c (verify_mic_des3): always check if the mic is the correct mic or the mic that old heimdal would have generated 2003-04-28 Jacques Vidrine <nectar@kth.se> * verify_mic.c (verify_mic_des3): If MIC verification fails, retry using the `old' 
MIC computation (with zero IV). 2003-04-26 Love Hörnquist Åstrand <lha@it.su.se> * gss_acquire_cred.3: more about difference between comparing IN and MN * gss_acquire_cred.3: more about name type and access control 2003-04-25 Love Hörnquist Åstrand <lha@it.su.se> * gss_acquire_cred.3: document gss_context_time * context_time.c: if lifetime of context have expired, set time_rec to 0 and return GSS_S_CONTEXT_EXPIRED * gssapi.3: document [gssapi]correct_des3_mic [gssapi]broken_des3_mic * gss_acquire_cred.3: document gss_krb5_compat_des3_mic * compat.c (gss_krb5_compat_des3_mic): enable turning on/off des3 mic compat (_gss_DES3_get_mic_compat): handle [gssapi]correct_des3_mic too * gssapi.h (gss_krb5_compat_des3_mic): new function, turn on/off des3 mic compat (GSS_C_KRB5_COMPAT_DES3_MIC): cpp symbol that exists if gss_krb5_compat_des3_mic exists 2003-04-24 Love Hörnquist Åstrand <lha@it.su.se> * Makefile.am: (libgssapi_la_LDFLAGS): update major version of gssapi for incompatiblity in 3des getmic support 2003-04-23 Love Hörnquist Åstrand <lha@it.su.se> * Makefile.am: test_acquire_cred_LDADD: use libgssapi.la not ./libgssapi.la (make make -jN work) 2003-04-16 Love Hörnquist Åstrand <lha@it.su.se> * gssapi.3: spelling * gss_acquire_cred.3: Change .Fd #include <header.h> to .In header.h, from Thomas Klausner <wiz@netbsd.org> 2003-04-06 Love Hörnquist Åstrand <lha@it.su.se> * gss_acquire_cred.3: spelling * Makefile.am: remove stuff that sneaked in with last commit * acquire_cred.c (acquire_initiator_cred): if the requested name isn't in the ccache, also check keytab. Extact the krbtgt for the default realm to check how long the credentials will last. 
* add_cred.c (gss_add_cred): don't create a new ccache, just open the old one; better check if output handle is compatible with new (copied) handle * test_acquire_cred.c: test gss_add_cred too 2003-04-03 Love Hörnquist Åstrand <lha@it.su.se> * Makefile.am: build test_acquire_cred * test_acquire_cred.c: simple gss_acquire_cred test 2003-04-02 Love Hörnquist Åstrand <lha@it.su.se> * gss_acquire_cred.3: s/gssapi/GSS-API/ 2003-03-19 Love Hörnquist Åstrand <lha@it.su.se> * gss_acquire_cred.3: document v1 interface (and that they are obsolete) 2003-03-18 Love Hörnquist Åstrand <lha@it.su.se> * gss_acquire_cred.3: list supported mechanism and nametypes 2003-03-16 Love Hörnquist Åstrand <lha@it.su.se> * gss_acquire_cred.3: text about gss_display_name * Makefile.am (libgssapi_la_LDFLAGS): bump to 3:6:2 (libgssapi_la_SOURCES): add all new functions * gssapi.3: now that we have a functions, uncomment the missing ones * gss_acquire_cred.3: now that we have a functions, uncomment the missing ones * process_context_token.c: implement gss_process_context_token * inquire_names_for_mech.c: implement gss_inquire_names_for_mech * inquire_mechs_for_name.c: implement gss_inquire_mechs_for_name * inquire_cred_by_mech.c: implement gss_inquire_cred_by_mech * add_cred.c: implement gss_add_cred * acquire_cred.c (gss_acquire_cred): more testing of input argument, make sure output arguments are ok, since we don't know the time_rec (for now), set it to time_req * export_sec_context.c: send lifetime, also set minor_status * get_mic.c: set minor_status * import_sec_context.c (gss_import_sec_context): add error checking, pick up lifetime (if there is no lifetime, use GSS_C_INDEFINITE) * init_sec_context.c: take care to set export value to something sane before we start so caller will have harmless values in them if then function fails * release_buffer.c (gss_release_buffer): set minor_status * wrap.c: make sure minor_status get set * verify_mic.c (gss_verify_mic_internal): rename verify_mic to 
gss_verify_mic_internal and let it take the type as an argument, (gss_verify_mic): call gss_verify_mic_internal set minor_status * unwrap.c: set minor_status * test_oid_set_member.c (gss_test_oid_set_member): use gss_oid_equal * release_oid_set.c (gss_release_oid_set): set minor_status * release_name.c (gss_release_name): set minor_status * release_cred.c (gss_release_cred): set minor_status * add_oid_set_member.c (gss_add_oid_set_member): set minor_status * compare_name.c (gss_compare_name): set minor_status * compat.c (check_compat): make sure ret have a defined value * context_time.c (gss_context_time): set minor_status * copy_ccache.c (gss_krb5_copy_ccache): set minor_status * create_emtpy_oid_set.c (gss_create_empty_oid_set): set minor_status * delete_sec_context.c (gss_delete_sec_context): set minor_status * display_name.c (gss_display_name): set minor_status * display_status.c (gss_display_status): use gss_oid_equal, handle supplementary errors * duplicate_name.c (gss_duplicate_name): set minor_status * inquire_context.c (gss_inquire_context): set lifetime_rec now when we know it, set minor_status * inquire_cred.c (gss_inquire_cred): take care to set export value to something sane before we start so caller will have harmless values in them if the function fails * accept_sec_context.c (gss_accept_sec_context): take care to set export value to something sane before we start so caller will have harmless values in them if then function fails, set lifetime from ticket expiration date * indicate_mechs.c (gss_indicate_mechs): use gss_create_empty_oid_set and gss_add_oid_set_member * gssapi.h (gss_ctx_id_t_desc): store the lifetime in the cred, since there is no ticket transfered in the exported context * export_name.c (gss_export_name): export name with GSS_C_NT_EXPORT_NAME wrapping, not just the principal * import_name.c (import_export_name): new function, parses a GSS_C_NT_EXPORT_NAME (import_krb5_name): factor out common code of parsing krb5 name 
(gss_oid_equal): rename from oid_equal * gssapi_locl.h: add prototypes for gss_oid_equal and gss_verify_mic_internal * gssapi.h: comment out the argument names 2003-03-15 Love Hörnquist Åstrand <lha@it.su.se> * gssapi.3: add LIST OF FUNCTIONS and copyright/license * Makefile.am: s/gss_aquire_cred.3/gss_acquire_cred.3/ * Makefile.am: man_MANS += gss_aquire_cred.3 2003-03-14 Love Hörnquist Åstrand <lha@it.su.se> * gss_aquire_cred.3: the gssapi api manpage 2003-03-03 Love Hörnquist Åstrand <lha@it.su.se> * inquire_context.c: (gss_inquire_context): rename argument open to open_context * gssapi.h (gss_inquire_context): rename argument open to open_context 2003-02-27 Love Hörnquist Åstrand <lha@it.su.se> * init_sec_context.c (do_delegation): remove unused variable subkey * gssapi.3: all 0.5.x version had broken token delegation 2003-02-21 Love Hörnquist Åstrand <lha@it.su.se> * (init_auth): only generate one subkey 2003-01-27 Love Hörnquist Åstrand <lha@it.su.se> * verify_mic.c (verify_mic_des3): fix 3des verify_mic to conform to rfc (and mit kerberos), provide backward compat hook * get_mic.c (mic_des3): fix 3des get_mic to conform to rfc (and mit kerberos), provide backward compat hook * init_sec_context.c (init_auth): check if we need compat for older get_mic/verify_mic * gssapi_locl.h: add prototype for _gss_DES3_get_mic_compat * gssapi.h (more_flags): add COMPAT_OLD_DES3 * Makefile.am: add gssapi.3 and compat.c * gssapi.3: add gssapi COMPATIBILITY documentation * accept_sec_context.c (gss_accept_sec_context): check if we need compat for older get_mic/verify_mic * compat.c: check for compatiblity with other heimdal's 3des get_mic/verify_mic 2002-10-31 Johan Danielsson <joda@pdc.kth.se> * check return value from gssapi_krb5_init * 8003.c (gssapi_krb5_verify_8003_checksum): check size of input 2002-09-03 Johan Danielsson <joda@pdc.kth.se> * wrap.c (wrap_des3): use ETYPE_DES3_CBC_NONE * unwrap.c (unwrap_des3): use ETYPE_DES3_CBC_NONE 2002-09-02 Johan Danielsson 
<joda@pdc.kth.se> * init_sec_context.c: we need to generate a local subkey here 2002-08-20 Jacques Vidrine <n@nectar.com> * acquire_cred.c, inquire_cred.c, release_cred.c: Use default credential resolution if gss_acquire_cred is called with GSS_C_NO_NAME. 2002-06-20 Jacques Vidrine <n@nectar.com> * import_name.c: Compare name types by value if pointers do not match. Reported by: "Douglas E. Engert" <deengert@anl.gov> 2002-05-20 Jacques Vidrine <n@nectar.com> * verify_mic.c (gss_verify_mic), unwrap.c (gss_unwrap): initialize the qop_state parameter. from Doug Rabson <dfr@nlsystems.com> 2002-05-09 Jacques Vidrine <n@nectar.com> * acquire_cred.c: handle GSS_C_INITIATE/GSS_C_ACCEPT/GSS_C_BOTH 2002-05-08 Jacques Vidrine <n@nectar.com> * acquire_cred.c: initialize gssapi; handle null desired_name 2002-03-22 Johan Danielsson <joda@pdc.kth.se> * Makefile.am: remove non-functional stuff accidentally committed 2002-03-11 Assar Westerlund <assar@sics.se> * Makefile.am (libgssapi_la_LDFLAGS): bump version to 3:5:2 * 8003.c (gssapi_krb5_verify_8003_checksum): handle zero channel bindings 2001-10-31 Jacques Vidrine <n@nectar.com> * get_mic.c (mic_des3): MIC computation using DES3/SHA1 was bogusly appending the message buffer to the result, overwriting a heap buffer in the process. 2001-08-29 Assar Westerlund <assar@sics.se> * 8003.c (gssapi_krb5_verify_8003_checksum, gssapi_krb5_create_8003_checksum): make more consistent by always returning an gssapi error and setting minor status. update callers 2001-08-28 Jacques Vidrine <n@nectar.com> * accept_sec_context.c: Create a cache for delegated credentials when needed. 
2001-08-28  Assar Westerlund  <assar@sics.se>

	* Makefile.am (libgssapi_la_LDFLAGS): set version to 3:4:2

2001-08-23  Assar Westerlund  <assar@sics.se>

	* *.c: handle minor_status more consistently

	* display_status.c (gss_display_status): handle krb5_get_err_text
	failing

2001-08-15  Johan Danielsson  <joda@pdc.kth.se>

	* gssapi_locl.h: fix prototype for gssapi_krb5_init

2001-08-13  Johan Danielsson  <joda@pdc.kth.se>

	* accept_sec_context.c (gsskrb5_register_acceptor_identity): init
	context and check return value from kt_resolve

	* init.c: return error code

2001-07-19  Assar Westerlund  <assar@sics.se>

	* Makefile.am (libgssapi_la_LDFLAGS): update to 3:3:2

2001-07-12  Assar Westerlund  <assar@sics.se>

	* Makefile.am (libgssapi_la_LIBADD): add required library
	dependencies

2001-07-06  Assar Westerlund  <assar@sics.se>

	* accept_sec_context.c (gsskrb5_register_acceptor_identity): set
	the keytab to be used for gss_acquire_cred too

2001-07-03  Assar Westerlund  <assar@sics.se>

	* Makefile.am (libgssapi_la_LDFLAGS): set version to 3:2:2

2001-06-18  Assar Westerlund  <assar@sics.se>

	* wrap.c: replace gss_krb5_getsomekey with gss_krb5_get_localkey
	and gss_krb5_get_remotekey

	* verify_mic.c: update krb5_auth_con function names. use
	gss_krb5_get_remotekey

	* unwrap.c: replace gss_krb5_getsomekey with gss_krb5_get_localkey
	and gss_krb5_get_remotekey

	* gssapi_locl.h (gss_krb5_get_remotekey, gss_krb5_get_localkey):
	add prototypes

	* get_mic.c: update krb5_auth_con function names. use
	gss_krb5_get_localkey

	* accept_sec_context.c: update krb5_auth_con function names

2001-05-17  Assar Westerlund  <assar@sics.se>

	* Makefile.am: bump version to 3:1:2

2001-05-14  Assar Westerlund  <assar@sics.se>

	* address_to_krb5addr.c: adapt to new address functions

2001-05-11  Assar Westerlund  <assar@sics.se>

	* try to return the error string from libkrb5 where applicable

2001-05-08  Assar Westerlund  <assar@sics.se>

	* delete_sec_context.c (gss_delete_sec_context): remember to free
	the memory used by the ticket itself. from <tmartin@mirapoint.com>

2001-05-04  Assar Westerlund  <assar@sics.se>

	* gssapi_locl.h: add config.h for completeness

	* gssapi.h: remove config.h, this is an installed header file.
	sys/types.h is not needed either

2001-03-12  Assar Westerlund  <assar@sics.se>

	* acquire_cred.c (gss_acquire_cred): remove memory leaks. from
	Jason R Thorpe <thorpej@zembu.com>

2001-02-18  Assar Westerlund  <assar@sics.se>

	* accept_sec_context.c (gss_accept_sec_context): either return
	gss_name NULL-ed or set

	* import_name.c: set minor_status in some cases where it was not
	done

2001-02-15  Assar Westerlund  <assar@sics.se>

	* wrap.c: use krb5_generate_random_block for the confounders

2001-01-30  Assar Westerlund  <assar@sics.se>

	* Makefile.am (libgssapi_la_LDFLAGS): bump version to 3:0:2

	* acquire_cred.c, init_sec_context.c, release_cred.c: add support
	for getting creds from a keytab, from fvdl@netbsd.org

	* copy_ccache.c: add gss_krb5_copy_ccache

2001-01-27  Assar Westerlund  <assar@sics.se>

	* get_mic.c: cast parameters to des function to non-const pointers
	to handle the case where these functions actually take non-const
	des_cblock

2001-01-09  Assar Westerlund  <assar@sics.se>

	* accept_sec_context.c (gss_accept_sec_context): use krb5_rd_cred2
	instead of krb5_rd_cred

2000-12-11  Assar Westerlund  <assar@sics.se>

	* Makefile.am (libgssapi_la_LDFLAGS): bump to 2:3:1

2000-12-08  Assar Westerlund  <assar@sics.se>

	* wrap.c (wrap_des3): use the checksum as ivec when encrypting the
	sequence number

	* unwrap.c (unwrap_des3): use the checksum as ivec when encrypting
	the sequence number

	* init_sec_context.c (init_auth): always zero fwd_data

2000-12-06  Johan Danielsson  <joda@pdc.kth.se>

	* accept_sec_context.c: de-pointerise auth_context parameter to
	krb5_mk_rep

2000-11-15  Assar Westerlund  <assar@sics.se>

	* init_sec_context.c (init_auth): update to new
	krb5_build_authenticator

2000-09-19  Assar Westerlund  <assar@sics.se>

	* Makefile.am (libgssapi_la_LDFLAGS): bump to 2:2:1

2000-08-27  Assar Westerlund  <assar@sics.se>

	* init_sec_context.c: actually pay attention to `time_req'

	* init_sec_context.c: re-organize. leak less memory.

	* gssapi_locl.h (gssapi_krb5_encapsulate, gss_krb5_getsomekey):
	update prototypes. add assert.h

	* gssapi.h (GSS_KRB5_CONF_C_QOP_DES, GSS_KRB5_CONF_C_QOP_DES3_KD):
	add

	* verify_mic.c: re-organize and add 3DES code

	* wrap.c: re-organize and add 3DES code

	* unwrap.c: re-organize and add 3DES code

	* get_mic.c: re-organize and add 3DES code

	* encapsulate.c (gssapi_krb5_encapsulate): do not free `in_data',
	let the caller do that. fix the callers.

2000-08-16  Assar Westerlund  <assar@sics.se>

	* Makefile.am: bump version to 2:1:1

2000-07-29  Assar Westerlund  <assar@sics.se>

	* decapsulate.c (gssapi_krb5_verify_header): sanity-check length

2000-07-25  Johan Danielsson  <joda@pdc.kth.se>

	* Makefile.am: bump version to 2:0:1

2000-07-22  Assar Westerlund  <assar@sics.se>

	* gssapi.h: update OID for GSS_C_NT_HOSTBASED_SERVICE and other
	details from rfc2744

2000-06-29  Assar Westerlund  <assar@sics.se>

	* address_to_krb5addr.c (gss_address_to_krb5addr): actually use
	`int' instead of `sa_family_t' for the address family.

2000-06-21  Assar Westerlund  <assar@sics.se>

	* add support for token delegation. From Daniel Kouril
	<kouril@ics.muni.cz> and Miroslav Ruda <ruda@ics.muni.cz>

2000-05-15  Assar Westerlund  <assar@sics.se>

	* Makefile.am (libgssapi_la_LDFLAGS): set version to 1:1:1

2000-04-12  Assar Westerlund  <assar@sics.se>

	* release_oid_set.c (gss_release_oid_set): clear set for
	robustness. From GOMBAS Gabor <gombasg@inf.elte.hu>

	* release_name.c (gss_release_name): reset input_name for
	robustness. From GOMBAS Gabor <gombasg@inf.elte.hu>

	* release_buffer.c (gss_release_buffer): set value to NULL to be
	more robust. From GOMBAS Gabor <gombasg@inf.elte.hu>

	* add_oid_set_member.c (gss_add_oid_set_member): actually check if
	the oid is a member first. leave the oid_set unchanged if realloc
	fails.
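The 2000-04-12 entries above describe three defensive patterns (value-based membership test before appending, keeping the set untouched when realloc fails, and clearing released handles), and the 2002-06-20 import_name.c entry describes comparing OIDs by value rather than by pointer. The following is an added example written for this page, not Heimdal's add_oid_set_member.c or release_oid_set.c. The struct layouts mirror the GSS-API gss_OID_desc / gss_OID_set_desc shapes but are local stand-ins so it compiles without a GSS-API header; the function names (oidset_add, oidset_contains, oidset_release, example_*) are hypothetical. The two OID byte strings are the real DER bodies of the Kerberos V5 mechanism OID (RFC 1964) and GSS_C_NT_HOSTBASED_SERVICE (RFC 2744); the sequence of adds is constructed for the demonstration.

```c
/*
 * Added example (not Heimdal's code): an OID-set append that checks
 * membership by value first and leaves the set unchanged if realloc fails,
 * plus a release that clears the handle so a stale pointer cannot be reused.
 * Types are local stand-ins for gss_OID_desc / gss_OID_set_desc (assumption:
 * same shape, no GSS-API header needed).
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct oid_desc {
    uint32_t    length;    /* number of bytes in elements */
    const void *elements;  /* DER-encoded OID body, not copied by the set */
} oid_desc;

typedef struct oid_set_desc {
    size_t    count;
    oid_desc *elements;    /* heap array of `count` OID descriptors */
} oid_set_desc;

/* Compare by value, not by pointer: two descriptors that point at different
 * copies of the same bytes are the same OID. */
static int oid_equal(const oid_desc *a, const oid_desc *b)
{
    return a->length == b->length &&
           memcmp(a->elements, b->elements, a->length) == 0;
}

/* 1 if `member` is already in `set`, 0 otherwise. */
int oidset_contains(const oid_set_desc *set, const oid_desc *member)
{
    for (size_t i = 0; i < set->count; i++)
        if (oid_equal(&set->elements[i], member))
            return 1;
    return 0;
}

/* Append `member` unless present. Returns 0 on success, -1 on allocation
 * failure. On failure `set` is unchanged: realloc's result goes into a
 * temporary, so the old array is neither lost nor freed. */
int oidset_add(oid_set_desc *set, const oid_desc *member)
{
    if (oidset_contains(set, member))
        return 0;                               /* no duplicate entries */
    if (set->count >= SIZE_MAX / sizeof(oid_desc))
        return -1;                              /* size would overflow */
    oid_desc *p = realloc(set->elements, (set->count + 1) * sizeof(oid_desc));
    if (p == NULL)
        return -1;                              /* set->elements still valid */
    p[set->count] = *member;
    set->elements = p;
    set->count++;
    return 0;
}

/* Free the array and reset the handle (count 0, NULL pointer), so a caller
 * that releases twice or reads after release sees an empty set rather than
 * freed memory. */
void oidset_release(oid_set_desc *set)
{
    free(set->elements);
    set->elements = NULL;
    set->count = 0;
}

/* Real DER bodies: 1.2.840.113554.1.2.2 (krb5 mechanism, RFC 1964) and
 * 1.2.840.113554.1.2.1.4 (GSS_C_NT_HOSTBASED_SERVICE, RFC 2744). */
static const uint8_t KRB5_MECH[] = {0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02};
static const uint8_t HOSTBASED[] = {0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x01,0x04};

/* Constructed sequence: add krb5, add hostbased, then add a *copy* of the
 * krb5 bytes (different pointer, same value). Returns the member count,
 * which is 2 because the copy is recognised as already present. */
int example_add_twice(void)
{
    uint8_t krb5_copy[sizeof KRB5_MECH];
    memcpy(krb5_copy, KRB5_MECH, sizeof KRB5_MECH);
    oid_set_desc set  = {0, NULL};
    oid_desc krb5     = {sizeof KRB5_MECH, KRB5_MECH};
    oid_desc host     = {sizeof HOSTBASED, HOSTBASED};
    oid_desc krb5_dup = {sizeof krb5_copy, krb5_copy};
    if (oidset_add(&set, &krb5) || oidset_add(&set, &host) ||
        oidset_add(&set, &krb5_dup))
        return -1;
    int n = (int)set.count;
    oidset_release(&set);
    return n;
}

/* After release the set must be empty and hold no dangling pointer. */
int example_release_clears(void)
{
    oid_set_desc set = {0, NULL};
    oid_desc krb5 = {sizeof KRB5_MECH, KRB5_MECH};
    if (oidset_add(&set, &krb5))
        return -1;
    oidset_release(&set);
    return set.count == 0 && set.elements == NULL;
}

int main(void)
{
    printf("members after three adds (one duplicate by value): %d\n",
           example_add_twice());
    printf("release clears the set: %d\n", example_release_clears());
    return 0;
}
```

The set stores only descriptors, as gss_OID_set does, so the caller keeps the OID bytes alive for the set's lifetime; the point of the example is the ordering (test, then grow, then commit) that keeps the set consistent on every failure path.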
2000-02-13  Assar Westerlund  <assar@sics.se>

	* Makefile.am: set version to 1:0:1

2000-02-12  Assar Westerlund  <assar@sics.se>

	* gssapi_locl.h: add flags for import/export

	* import_sec_context.c (import_sec_context): add flags for what
	fields are included. do not include the authenticator for now.

	* export_sec_context.c (export_sec_context): add flags for what
	fields are included. do not include the authenticator for now.

	* accept_sec_context.c (gss_accept_sec_context): set target in
	context_handle

2000-02-11  Assar Westerlund  <assar@sics.se>

	* delete_sec_context.c (gss_delete_sec_context): set context to
	GSS_C_NO_CONTEXT

	* Makefile.am: add {export,import}_sec_context.c

	* export_sec_context.c: new file

	* import_sec_context.c: new file

	* accept_sec_context.c (gss_accept_sec_context): set trans flag

2000-02-07  Assar Westerlund  <assar@sics.se>

	* Makefile.am: set version to 0:5:0

2000-01-26  Assar Westerlund  <assar@sics.se>

	* delete_sec_context.c (gss_delete_sec_context): handle a NULL
	output_token

	* wrap.c: update to pseudo-standard APIs for md4,md5,sha. some
	changes to libdes calls to make them more portable.

	* verify_mic.c: update to pseudo-standard APIs for md4,md5,sha.
	some changes to libdes calls to make them more portable.

	* unwrap.c: update to pseudo-standard APIs for md4,md5,sha. some
	changes to libdes calls to make them more portable.

	* get_mic.c: update to pseudo-standard APIs for md4,md5,sha. some
	changes to libdes calls to make them more portable.

	* 8003.c: update to pseudo-standard APIs for md4,md5,sha.
2000-01-06  Assar Westerlund  <assar@sics.se>

	* Makefile.am: set version to 0:4:0

1999-12-26  Assar Westerlund  <assar@sics.se>

	* accept_sec_context.c (gss_accept_sec_context): always set
	`output_token'

	* init_sec_context.c (init_auth): always initialize `output_token'

	* delete_sec_context.c (gss_delete_sec_context): always set
	`output_token'

1999-12-06  Assar Westerlund  <assar@sics.se>

	* Makefile.am: bump version to 0:3:0

1999-10-20  Assar Westerlund  <assar@sics.se>

	* Makefile.am: set version to 0:2:0

1999-09-21  Assar Westerlund  <assar@sics.se>

	* init_sec_context.c (gss_init_sec_context): initialize `ticket'

	* gssapi.h (gss_ctx_id_t_desc): add ticket in here. ick.

	* delete_sec_context.c (gss_delete_sec_context): free ticket

	* accept_sec_context.c (gss_accept_sec_context): stow away
	`krb5_ticket' in context so that ugly programs such as
	gss_nt_server can get at it. uck.

1999-09-20  Johan Danielsson  <joda@pdc.kth.se>

	* accept_sec_context.c: set minor_status

1999-08-04  Assar Westerlund  <assar@sics.se>

	* display_status.c (calling_error, routine_error): right shift the
	code to make it possible to index into the arrays

1999-07-28  Assar Westerlund  <assar@sics.se>

	* gssapi.h (GSS_C_AF_INET6): add

	* import_name.c (import_hostbased_name): set minor_status

1999-07-26  Assar Westerlund  <assar@sics.se>

	* Makefile.am: set version to 0:1:0

Wed Apr  7 14:05:15 1999  Johan Danielsson  <joda@hella.pdc.kth.se>

	* display_status.c: set minor_status

	* init_sec_context.c: set minor_status

	* lib/gssapi/init.c: remove donep (check gssapi_krb5_context
	directly)